Using SSH

Secure Shell: Secure communications

SSH (Secure Shell) lets you connect from one computer to another over a network and execute commands, transfer files, or get a command prompt. It uses strong cryptography to protect the data in transit and to authenticate both the user and the server. SSH is found on most modern Unix-like operating systems and serves as a drop-in replacement for TELNET, FTP, rlogin, rsh, and rcp, none of which protect the session with cryptography by default: passwords and data cross the network in the clear. Without strong cryptography, an attacker on the network path may be able to read or hijack your connection and steal your data or gain access to one of your systems. Such attacks aren't just theoretical; we've seen them happen at IU.

Obtaining and using SSH

SSH consists of several programs which, depending on the version you get, may be graphical or command-line only. Either way, there is a client program that the user runs directly and a server program that handles incoming requests on the remote machine. The suite also includes utilities (such as ssh-keygen) for managing the keys used for authentication on both ends.

On the command line

The sshd program must be running on the server before any SSH connections can take place. It listens for connections from client computers, and when it receives one, it authenticates the client and starts serving it. The client program users invoke is simply ssh:

% ssh host.example.edu

% ssh host.example.edu uptime

The first form authenticates the user and then opens a new shell on the remote computer (host.example.edu in this example). The second form runs the uptime command on the remote computer, shows its output, and exits.

When started, ssh connects to the sshd service on the server, verifies that the server really is the computer it meant to connect to, negotiates session keys in a way that an eavesdropper cannot recover them, and then authenticates the user with public key authentication or conventional password authentication. The server identity check compares the server's host key with the copy saved in ~/.ssh/known_hosts. On the first connection to a host there is no saved copy, so ssh shows the key's fingerprint and asks whether to trust it; compare that fingerprint with one the server's administrator has published rather than simply answering yes. If the saved key later changes, ssh refuses to connect and warns of a possible man-in-the-middle attack; find out from the administrator whether the key was legitimately replaced before removing the old entry. After authentication the server typically starts an interactive shell or runs the requested program.
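The following is an added example, not code from the original page or from OpenSSH itself. It models the host identity check described above: it parses a known_hosts entry, computes the SHA256 (and legacy MD5) fingerprint exactly as ssh-keygen -lf prints it, and compares the result with a fingerprint the administrator published out of band. The host name host.example.edu is reused from the page; the key bytes are constructed and belong to no real server.

```python
"""Check an SSH host key against a fingerprint obtained out of band.

Added example (not from the original page): models the check ssh performs
against ~/.ssh/known_hosts, and the check a user should perform by hand at
the first-connection prompt.
"""
import base64
import hashlib


def _ssh_string(data):
    """Encode bytes as an SSH wire-format string: 4-byte big-endian length + data."""
    return len(data).to_bytes(4, "big") + data


def ed25519_public_blob(raw32):
    """Build the public key blob ssh stores for an ssh-ed25519 key:
    string "ssh-ed25519" followed by string <32 raw key bytes>."""
    if len(raw32) != 32:
        raise ValueError("Ed25519 public keys are 32 bytes")
    return _ssh_string(b"ssh-ed25519") + _ssh_string(raw32)


def ed25519_known_hosts_line(hostname, raw32):
    """Format a known_hosts entry for an ssh-ed25519 key (what ssh appends once you accept)."""
    return f"{hostname} ssh-ed25519 {base64.b64encode(ed25519_public_blob(raw32)).decode()}"


# Constructed known_hosts entry for the page's example host. The 32 key bytes are
# made up (0x00..0x1f), so this is not any real server's key.
SAMPLE_KNOWN_HOSTS_LINE = ed25519_known_hosts_line("host.example.edu", bytes(range(32)))


def parse_known_hosts_line(line):
    """Split one known_hosts entry into (hostnames, key_type, key_blob).
    Format: `host[,host...] key-type base64-blob [comment]`; hashed hostnames
    (`|1|salt|hash`) are returned as-is."""
    fields = line.split()
    if len(fields) < 3:
        raise ValueError("malformed known_hosts line")
    hosts, key_type, b64 = fields[:3]
    return hosts.split(","), key_type, base64.b64decode(b64, validate=True)


def fingerprint_sha256(key_blob):
    """OpenSSH fingerprint as shown by `ssh-keygen -lf` and in the first-connection
    prompt: SHA-256 of the raw blob, base64-encoded with the '=' padding dropped."""
    digest = hashlib.sha256(key_blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def fingerprint_md5(key_blob):
    """Legacy colon-separated hex fingerprint (`ssh-keygen -E md5 -lf`), still found
    in older documentation; useful only for matching what an administrator published."""
    return "MD5:" + ":".join(f"{b:02x}" for b in hashlib.md5(key_blob).digest())


def host_key_matches(line, published_fingerprint):
    """True if the key recorded in `line` has the fingerprint the administrator
    published (either format). A mismatch means you are not talking to the host you
    think, or its key has legitimately changed; find out which before connecting."""
    _, _, blob = parse_known_hosts_line(line)
    fp = published_fingerprint.strip()
    if fp.startswith("MD5:"):
        return fingerprint_md5(blob) == fp
    return fingerprint_sha256(blob) == fp


if __name__ == "__main__":
    hosts, key_type, blob = parse_known_hosts_line(SAMPLE_KNOWN_HOSTS_LINE)
    print(hosts[0], key_type, fingerprint_sha256(blob), fingerprint_md5(blob))
```

On a real system the same value comes from `ssh-keygen -lf /etc/ssh/ssh_host_ed25519_key.pub` run on the server (or from a fingerprint the administrator posts); the point is that the comparison happens against something that did not travel over the connection being verified.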

Connection forwarding

TCP/IP connections can be "forwarded" over SSH's secure channel. SSH listens on a port on one side of the connection (on your computer with -L, or on the server with -R), and whenever a program connects to that port, the connection's data is carried over the encrypted channel and delivered to the host and port you named on the other side. For routine use, you can put LocalForward or RemoteForward lines in ~/.ssh/config so the forwards are set up every time you connect to that host. By default a forwarded port is bound to the loopback address; binding it to all interfaces lets other machines on the network use your tunnel, so do that only deliberately. Forwarding can also be used to run remote X11 programs (ssh -X, or ForwardX11 in the configuration file) with their display traffic protected. Enable X11 forwarding only for servers you trust, since it gives programs on the server access to your local display.
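The following is an added example, not code from the original page or from OpenSSH. It shows a ~/.ssh/config with the forwarding keywords described above and audits it for the two pitfalls just mentioned: a forward bound to every interface instead of loopback, and X11 forwarding switched on for all hosts or in trusted mode. The configuration is constructed; host.example.edu is the page's example host, while the aliases, user name and port numbers are made up.

```python
"""Audit an OpenSSH client configuration for forwarding settings that widen exposure.

Added example (not from the original page): the sample config below is constructed;
the checks follow ssh_config(5) semantics for LocalForward, RemoteForward,
ForwardX11 and ForwardX11Trusted. Match blocks are not handled.
"""

# Listen addresses that expose a forwarded port on every interface, not just loopback.
EXPOSED_BINDS = {"*", "0.0.0.0", "::", "[::]"}

# Constructed ~/.ssh/config. host.example.edu is the page's example host; the
# aliases, user and ports are invented for illustration.
SAMPLE_CONFIG = """\
Host db-tunnel
    HostName host.example.edu
    User alice
    # Local 127.0.0.1:15432 -> localhost:5432 as seen from the server
    LocalForward 15432 localhost:5432

Host shared-tunnel
    HostName host.example.edu
    # Binding to * lets any machine that can reach this one use the tunnel
    LocalForward *:8080 intranet.example.edu:80
    # Server port 2222 -> this machine's port 22; bind defaults to loopback on the server
    RemoteForward 2222 localhost:22

Host *
    ForwardX11 yes
    ForwardX11Trusted yes
"""


def parse_ssh_config(text):
    """Return a list of (host_patterns, [(keyword, argument), ...]) stanzas.

    Keywords are case-insensitive and may be separated from their argument by
    whitespace or '='. Options before the first Host line apply to every host."""
    stanzas = []
    patterns, options = ["*"], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        head, rest = parts[0], (parts[1] if len(parts) > 1 else "")
        if "=" in head:  # Keyword=value form
            head, _, first = head.partition("=")
            rest = (first + " " + rest).strip()
        keyword, argument = head.lower(), rest.lstrip("= ").strip()
        if keyword == "host":
            if options:
                stanzas.append((patterns, options))
            patterns, options = argument.split(), []
        else:
            options.append((keyword, argument))
    if options:
        stanzas.append((patterns, options))
    return stanzas


def parse_forward(argument):
    """Split a LocalForward/RemoteForward argument `[bind_address:]port host:hostport`
    into (bind_address or None, port, host, hostport)."""
    listen, target = argument.split()
    bind, sep, port = listen.rpartition(":")
    if not sep:  # no bind address given: ssh binds to loopback unless GatewayPorts
        bind, port = None, listen
    host, _, hostport = target.rpartition(":")
    return bind, int(port), host, int(hostport)


def audit_forwards(config_text):
    """Return human-readable findings for forwards bound to all interfaces and for
    X11 forwarding enabled for every host or in trusted mode."""
    findings = []
    for patterns, options in parse_ssh_config(config_text):
        where = "Host " + " ".join(patterns)
        for keyword, argument in options:
            if keyword in ("localforward", "remoteforward"):
                bind, port, host, hostport = parse_forward(argument)
                if bind in EXPOSED_BINDS:
                    side = "this machine" if keyword == "localforward" else "the server"
                    findings.append(
                        f"{where}: {keyword} {argument} listens on every interface of {side}; "
                        f"anyone who can reach port {port} gets a tunnel to {host}:{hostport}")
            elif keyword in ("forwardx11", "forwardx11trusted") and argument.lower() == "yes":
                if "*" in patterns:
                    findings.append(
                        f"{where}: {keyword} yes applies to every server; enable X11 forwarding "
                        "per host, or with -X on the command line, only for servers you trust")
                elif keyword == "forwardx11trusted":
                    findings.append(
                        f"{where}: ForwardX11Trusted yes lets remote X clients read and inject "
                        "input on your whole display; prefer untrusted ForwardX11")
    return findings


if __name__ == "__main__":
    for finding in audit_forwards(SAMPLE_CONFIG):
        print(finding)
```

Run against the sample it reports the shared-tunnel forward bound to * and the two global X11 settings, and says nothing about db-tunnel, whose forward is reachable only from the local machine. The same `ssh -L 15432:localhost:5432 db-tunnel` effect is what the LocalForward line gives you on every connection.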